Expert: Certified Microsoft applications reach security pinnacle

Eight of Microsoft’s widely used applications now have the highest assurance level for information security thought possible for commercial products, a security expert said today.

The company announced today that six varieties of Microsoft Windows Server 2003 and two varieties of Microsoft Windows XP now meet Evaluation Assurance Level (EAL) 4+ of the Common Criteria.

The Common Criteria are a set of internationally recognized standards of assurance for sharing classified information among government agencies. Meeting those standards is essential for companies to win federal contracts that include handling classified information.

EAL 4 is probably the highest assurance level that a complex, commercially developed product can achieve, said Helmut Kurth, chief scientist and lab director at atsec, an information technology security consulting firm. Kurth wrote the security standards on which the Common Criteria are based.

Higher EAL levels are possible only with applications that are designed initially with security as their driving force, Kurth said. EAL certifications range from 1 to 7, and 7 is the highest.

“EAL 4 has become a kind of standard for all general-purpose operating systems,” Kurth said. Sun Solaris, IBM AIX and Microsoft Windows 2000 have all achieved that certification, he said.

EAL 4 reasonably assures users that their operating systems, together with firewalls and other security measures, will protect them from standard attacks, Kurth said.

The “+” in the EAL 4+ rating means that the certified application exceeds the requirements for compliance, Kurth said.

Microsoft configured the applications submitted for evaluation to reflect configurations that customers actually run, instead of stripped-down versions that would get certified more easily, said Steven Lipner, Microsoft’s senior director of security engineering strategy.

By doing that, Microsoft allows application users to trust more of the applications’ security functions, Kurth said. Users “don’t have to violate the evaluation just for the purpose of gaining something useful,” he said.

Through Common Criteria certification, “customers can have a higher degree of confidence that the security features in those products meet independent standards for completeness, consistency and quality,” Lipner said.

Microsoft is working on Common Criteria certification for other products, including its new Windows Vista operating system, Lipner said.
